►
From YouTube: OpenSSF November Town Hall Meeting (November 15, 2021)
Description
The OpenSSF Community and Staff give a quarterly update on all things OpenSSF!
A
B
A
A
A
B
B
A
A
Yeah,
I
don't
have
it
right
here,
but
there's
actually
a
whole
book
about
the
lord
music
and
the
lord
of
the
rings.
I
cannot
recommend
it
enough.
It
is
spectacular,
you
know
it
examines
every
motif
and
you
know
how
they
interact
over
time.
You
know
this
is
this.
This
is
that
you
know
the
history
of
the
ring.
Is
this
tune?
This
is
this
and
here's
how
they
interact
here
and
why
they
interact.
It's
just.
B
A
B
So
michael's
covetous
confirmed
he'll
be
able
to
speak
to
it
and
then
yeah.
We
could
just
be
ad
hoc
with
the
others.
I'm
you
know,
even
though
this
is
a
webinar,
I
want
to
keep
it
feeling
casual.
Does
that
make
sense?
Yeah,
oh
and
I
see
we
already
have
two
folks
amir
and
chris
in
our
attendees
list.
Hi.
A
Shyness
is
not
something
I've
been
accused
of
recently,
however,
I
am
properly
caffeinating
with
my
bubbly
caffeine,
so
yeah
chris
chris,
and
we
were
talking
about
lord
of
the
rings
and
the
awesome
music
on
the
awesome
music
score
so
having
nothing
to
do
with
this
particular
webinar.
But
you
know
it's
it's
fun.
I
can
recommend
it.
A
B
B
A
B
B
B
B
So
this
is
intended
to
be
loose,
not
necessarily
you
know,
tightly
polished
and
wired,
but
want
to
hear
from
all
of
you
whether
you've
been
part
of
the
community
for
a
long
time
or
are
brand
new
to
this.
So
please
feel
free
to
engage
as
we
get
going
and
david
I'll
depend
on
you
to
interrupt
me.
If
anything
seems
amiss
as
with
all
linux
foundation
meetings,
we
start
with
the
anti-trust
policy
notice.
B
This
is
just
a
reminder
to
all
of
us
of
why
we're
here
we're
here
to
work
on
open
source
software
and
in
particular,
in
our
case,
improving
the
state
of
open
source
software
and
building
digital
public
goods
is
kind
of
the
new
phrase
catchphrase
I
think,
but
for
a
lot
of
what
we're
doing
here.
But
I,
if
any
of
you
have
any
questions
about
about
this
kind
of
thing,
feel
free
to
consult
the
linux
foundation's
any
choice,
policy
notice
linked
here
or
ask
one
of
us
for
some
more
guidance.
B
B
B
We
have
an
agenda.
That'll
take
us,
probably
through
the
first
25-30
minutes
of
the
hour
together
and
then
leave
the
converse
and
then
leave
the
remaining
30
minutes
for
for
q.
A
I'll
give
a
brief.
You
know
welcome
and
an
update
on
just
the
numbers
and
the
commitments
that
we've
received
and
then
hand
the
mic
off
to
david.
B
To
give
us
a
big
picture
of
what
open
ssf
is
trying
to
to
tackle
out
here
and
then
some
updates
on
some
of
the
projects
either
that
have
just
launched
or
are
already
underway
and
and
then
we'll
leave
the
time
open
for
q
a
so
so,
just
as
a
quick
kind
of
blast.
So
last
month
we
announced
the
not
quite
fair
to
call
it
a
relaunch,
because
this
really
is
about
adding
booster
rockets
to
a
a
rocket
ship.
B
That's
already
was
was
well
on
its
way
to
to
interesting
places,
but
on
october
15th
we
announced
that
cubecon,
the
the
the
the
launch
of
new
commitments,
financial
commitments
from
a
set
of
major
organizations,
some
of
whom
had
been
involved
with
openssf
to
date,
some
of
whom
are
brand
new
to
it.
I
we
had
a
lot
of
press
coverage
from
that
and
we
I
I
always
laugh
at
the
stock
photos
that
folks
decide
to
add
to
cyber
security
articles.
So
I
thought
this
one
was
particularly
cute.
B
I
would
have
hoped
they'd
add
a
stuffed
goose
to
it,
given
our
motto
or
given
our
mascot
and
we'll
have
to
find
some
way
to
get
those
plush
gooses
out
to
as
many
places
as
we
can.
I
know
david
has
one
in
his
background.
If
you
can
see
his
video
he's
holding
it
up,
but
but
it
was
really
great
to
get
the
public
awareness
of
the
importance
of
securing
the
software
supply
chain,
which
is
what
we're
all
about
to
see
the
recognition
for
the
hard
work.
B
That's
already
been
done
by
this
community
and
in
projects
that
have
really
kind
of
been
launched
in
the
periphery
and
under
the
aegis
of
of
this,
like
salsa
and
sig,
store
and
and
other
projects
that
are
that
are
coming
up,
that
you
know
we're
still
sorting
out
how
to
better
more
formally
support
at
open,
ssf
so
really
good.
Last
month
and
the
as
as
many
of
you
know,
that
the
model
for
how
we
at
the
linux
foundation
fund
our
efforts
here.
B
B
B
How
many
of
the
other
logos
here
have
that
many
software
developers
on
staff
it's
crazy
anyways?
So
I
really
happy
to
have
those
organizations
committing
to
this
process
and
a
week
and
a
half
ago
we
hosted
a
governing
board
meeting
on
the
periphery
of
the
linux
foundation.
Member
summit,
where
we
had
representatives
high-level
representatives
from
each
of
these
companies,
in
some
cases
the
cto
of
certain
organizations
or
or
the
cso
or
a
senior
vp
who
manages
security
products.
B
These
are
our
high-level
representatives
committing
not
just
their
organizations
financial
resources
but
time
to
making
this
work.
We
also
have
been
blessed
by
having
a
large
number
of
the
organizations
that
have
been
a
part
of
this
from
the
beginning,
also
signing
up
as
general
members
also
a
financial
commitment,
certainly
a
a
major
one,
especially
for
organizations
that
are
younger
and
and
and
startups
and
and
they're.
Also
saying
this
is
an
important
project.
This
is
something
we
want
to
align
with.
B
So
thank
you
to
all
of
you.
Who've
brought
your
organizations
and
who've
been
involved
in
the
project.
Obviously,
since
the
beginning,
but
who
also
said
hey,
this
is
worth
us
jumping
in
and
committing
to
financially
and
thanks
to
those
commitments
we
now
have.
I
know
two
quadrillion
dollars
is
not
a
phrase.
You
often
hear
said
david
and
chat.
I
I
and
that's
that
is
not
not
a
an
overstatement
in
the
size
it
is.
B
It
is
in
the
thousands
of
trillions
so
we're
at
a
number
a
little
bit
smaller
than
that
so
far,
but
a
number
that
is
still
impressive,
nonetheless,
for
open
source
projects
and-
and
we
do
anticipate
growing
further.
What
we
announced
was
over
10
million
in
new
funding
commitments
from
from
those
organizations
to
these
efforts,
and
just
over
half
of
that
is
coming
from
funding
from
that
membership.
B
What
you
might
call
marketing
and
devrel
and
pr
and
those
kinds
of
things
reaching
both
to
developers,
but
also
to
the
end
user
community
to
help
them
understand.
Why
it's
important
to
tackle
many
of
these
issues?
I
mean
a
lot
of
what
we
need
to
do
is
raise
raise
the
level
of
conversation
out
there
and
and
and
make
people
aware
of
the
good
efforts
in
the
working
groups,
but
also
the
importance
of
tackling
this
problem.
B
B
You
know
third-party
events,
we
haven't
formulated
the
list
exactly
yet
or
really
figured
out
how
and
where
we
want
to
be,
but
think
about
the
typical
security
events
out
there
that
you
know
everybody
in
the
space
is
at
making
sure
that
our
voice
is
there
rises
above
the
noise,
but
also
think
about
the
non-traditional
types
of
I.t
events.
You
know
non-traditional
non-security,
specific,
but
ones
that
have
an
interest
in
that,
for
example,
the
hymns
conference
in
health
I.t,
perhaps
that's
an
event.
B
A
couple
hundred
thousand
to
a
couple
million
dollar
size
funds
for
specific
other
types
of
work,
work
that
can
be
well
scoped,
work
for
which
there's
a
clear
set
of
funders
available
for
that
kind
of
work
and
a
pretty
clear
place
to
put
that
those
funds
to
work
in
a
shovel
ready
kind
of
setting.
For
anyone
who
remembers
that
term
and
and
that's
that's
something
we're
really
eager
to
get
started
on.
B
In
fact,
the
first
of
those
funds
is
kind
of
a
blockbuster
one,
probably
larger
than
than
any
of
other
funds
will
be
out
of
the
gate
and
that's
five
million
dollars
committed
to
the
alpha
omega
project.
Now
we'll
hear
more
about
alpha
mega
later
in
this
call,
but
the
funds
there
will
be
put
towards
some
headcount
to
be
able
to
accomplish
the
goals
of
alpha
omega
some
software
development
and
some
advocacy
work,
and
it's
you
know
these
are.
B
I
should
emphasize
dollar
amounts
that
aren't
the
all
where
that
we're
ever
going
to
raise.
These
are
dollar
amounts
that
are
in
the
form
of
a
commitment
for
2022..
We
all
have
to
show
that
this
is
a
wide
application
of
funding
in
order
to
be
able
to
make
the
case
to
get
the
next
year's.
You
know,
re-up
of
that.
We
cannot
take
any
of
these
dollars
for
granted
that
they'll
come
back
next
year,
but
this
is
money
that
we
intend
to
spend
over
the
course
of
the
next
year.
So
it's
it's
pretty
exciting
stuff.
B
To
give
you
a
little
bit
of
a
by
the
numbers
a
bit
just
to
get
started.
You
know
on
we're
really
just
beginning
our
social
media
presence.
It's
something
that
we've
got
a
you
know
a
somewhat
active
youtube
stream,
a
somewhat
active
linkedin
group.
We
did
refresh
the
website
at
the
beginning
of
the
year,
but
we
also.
Oh
I'm
sorry.
I
skipped
this
this
page.
B
This
is
the
one
that's
perhaps
more
interesting
and
more
fun
in
the
15
months
since
launch,
we've
pulled
together,
68
member
organizations
to
help
us
in
this
effort.
Beyond
those,
though,
what
really
matters
is
the
over
500
576
members
who
the
participating
individuals
who
have
helped
in
the
working
groups
helped
on
the
attack,
helped
get
get
the
projects
out
there
and
running,
and
this
is
a
very
significant
number
we
have.
The
larger
numbers,
of
course,
are
out
just
on
social
media
people
following
what
we
do.
B
That
sort
of
thing
twitter.
That
kind
of
thing,
but
but
also
a
number
to
be
really
proud
of,
is
that
the
edx
courses
that
david
played
a
big
role
in
creating
many
of
you
also
helped
with
have
now
seen
5
300
different
people
register
to
take
those
courses,
and
that's
that
I
mean
if,
if
we
can
get
that
number
into
you
know
another
another
order
of
magnitude
up
this
year.
Think
about
the
impact
that
we'll
have
think
about
the
further
impact
it
could
have
if
we
grow
that
further.
B
This
is
this
is
something
that
really,
I
think,
could
have
a
huge
impact
on
the
security
space
and
with
that
just
kind
of
brief
overview,
I
want
to
pass
the
baton
now
to
david,
to
be
able
to
take
us
into
the
next
to
give
us
the
big
picture
and
a
couple
of
the
the
updates
david
I'll
just
advance.
The
slides
just
tell
me
when,
okay.
A
Okay,
so
I
want
to
just
kind
of
give
a
brief
overview,
particularly
for
those
of
you
who've
not
interacted
very
much
with
the
open
ssf,
yet
we're
hoping
that
you'll
be
convinced
to
become
more
involved
because
we'd
love
even
more
participation.
This
is
a
little
graphic.
That
kind
of
shows
the
current
openness
of
structure.
We
have
a
new
governing
board
which
may
change
this,
but
you
know
I
thought
it'd
be
helpful
to
see
how
it's
structured
today,
at
the
top
we've
got
a
governing
board.
A
Brian's
already
mentioned
that
governing
boards
created
a
couple
of
committees
to
help
it
anywhere
from
public
policy
marketing
budgeting
planning
the
public
policy.
One,
for
example,
is
where,
when
governments
say,
hey
we're
thinking
about
policies
related
to
this
area,
we
would
like
you
know
some
input
advice.
You
know
help
us
understand
this.
We
can
at
least
alert
various
folks
so
that
they
can
be
hey.
This
there's
a
organization.
You
know
government
organization,
which
wants
to
create
reasonable
policies
they're
looking
for
input,
obviously
the
open
ssf
can't.
A
A
We're
actually
expecting
that
when
project
alpha
omega
gets,
you
know
that
when,
when
alpha
omega
gets
running,
it's
going
to
be
a
sibling
of
the
working
groups,
its
own
thing,
it's
it's
a
big
thing
of
its
own,
but
here
what
you'll
see
is
those
working
groups
I
just
listed
a
moment
ago
and
some
of
the
projects
that
they've
been
working
on
and
have
released
things.
So
the
best
practices
is
badge
focus,
though
sorry,
the
best
practices
working
group-
sorry,
identification,
awareness,
education,
security,
best
practice
of
security,
best
practices.
A
This
is
where
things
like
the
ci
best
practices
badge
lives.
The
scorecard
something
called
the
great
mfa
distribution
project,
we'll
talk
about
that
in
a
moment,
collaboration
with
owasp,
cre
and
security,
knowledge
framework
and
the
edx
course
vulnerability.
Disclosure
focuses
on
efficient
vulnerability,
reporting
and
remediation
things
like
there's
a
guide
for
coordinated
vulnerability,
disclosure
for
oss
projects,
identifying
security
threats,
and
it's
a
convoluted
name.
A
Basically,
it's
trying
to
get
information
about
security-related
information
about
projects,
things
like
having
a
collected
set
of
reviews
of
open
source
projects
having
a
dashboard
so
that,
when
you're
interested
in
a
project,
you
can
learn
about
it
securing
critical
projects.
This
is
identification
of
critical,
open
source
projects
which
should
help
things
like
alpha
omega.
A
That's
where
criticality
score
the
harvard
research
to
looking
for
critical
projects,
there's
also
package
feeds
and
package
analysis
looking
for
malicious
code
and
all-star,
we'll
talk
more
about
all
in
in
a
second
security
tooling.
This
is
basically
looking
at
various
tooling
related
issues.
Supply
chain
integrity
is
the
new
name
of
what
was
digital
digital
identity.
At
a
station
I'm
hearing
my
mic
was
a
little
low.
Can
you
hear
me
now
better,
I
hope
so
all
right
so
supply
chain
integrity,
as
I
said,
was
named
digital
identity
asked
at
a
station.
A
A
So
there's
a
lot
of
projects
going
on
and
I
thought
it
might
be
helpful
to
get
an
idea
of
how
the
projects
work
together.
I
there
is.
It
would
actually
take
me
quite
some
time
to
walk
through
this
diagram
and
I'm
not
going
to
try
to
do
that.
I'm
going
to
walk
through
it
at
a
high
level,
but
you
can
see
this
picture
and
walk
through
it
your
own,
but
this
is
the
picture
that
coming
straight
from
salsa.
C
A
Couple
of
cases
it's
a
little
hard
to
do,
there's
multiple
places,
but
nevertheless,
what
I
hope
you
can
see
is
just
the
from
the
placement
of
various
and
sundry
things
that
in
fact,
there's
a
lot
of
different
projects
which
focus
on
different
parts
of
the
problem,
because
no
one
project
is
going
to
resolve
all
security,
related
questions
involving
open
source
software
or
software
in
general,
and
so
different
projects
work
on
different
things
anywhere
from
the
developer.
You
know
managing
the
source
code
managing
the
bill
packaging
it
up
releasing
out
to
consumers.
A
We
want
to
help
developers
select
good
packages
by
providing
them
package
selection
information.
We
want
to
identify
critical
projects
and
improve
them,
and
sadly,
I
suspect,
no
matter
what
we
do.
We're
going
to
have
vulnerability.
Information
occasionally
show
up
for
all
projects.
We
want
to
reduce
it,
but
we're
not
going
to
be
able
to
eliminate
it.
So
we
also
want
to
have
improved
ways
to
share
the
vulnerability
information
process.
A
B
D
Awesome
so
yeah
thanks
everybody
I'm
here
to
talk
about
alpha
omega.
So
this
is
a
project.
It's
designed
to
improve
the
security
posture,
meaning
the
security
quality.
The
actual
you
know,
security
of
open
source
projects
in
two
different
ways.
One
is
through
direct
engagement,
which
means
reaching
out
to
projects
figuring
out
what
they
need
and
helping,
and
the
second
is
by
identifying
critical
vulnerabilities
at
scale.
D
D
It
may
maybe
slightly
more
than
that,
but
it
won't
be.
Fifty
thousand.
These
are
long-term
engagements.
We're
going
to
approach
them
with
a
learning
mindset
reach
out
to
them
talk
to
them
figure
out
what
they
need,
how
what
security
challenges
do
they
have?
They
will
all
be
different
for
each
project
in
some
cases
we'll
be
able
to
help
in
some
cases.
Maybe
we
can't
help
in
some
cases.
Maybe
they
don't
want
our
help
either
way.
D
We
want
to
start
that
conversation,
but
when
they,
when
we
do
agree
on
something
that
we
can
help
with
it,
can
take
many
different
forms.
We
could
help
out
with
threat
modeling
we
could
set
up
automation,
we
could
do
bug
triage,
we
could
in
theory
we
could
fund
a
resource,
a
security
resource
for
that.
For
that
team
we
could
do
a
source
code.
Audit
we
could
basically,
if
they
need,
if
their
biggest
security
challenge,
that
they
need
rocks,
moved
from
point
a
to
point
b.
D
We
should
pick
up
a
shovel
and
help
them
move
rocks
the
most
critical
open
source.
Our
projects
are
the
ones
that
have
a
in
a
higher
than
a
much
higher
than
average
impact
on
the
ecosystem
if
they
were
to
fail
spectacularly
with
a
critical
vulnerability.
The
actual
decision
of
which
projects
are
the
most
critical.
D
The
we've
asked
the
the
critical
projects
working
group
to
help
out
in
in
doing
that
selection
criteria
and
and
kind
of
coming
up
with
that
list,
but
it
would
be
the
the
types
of
projects
and
infrastructure
that
would
make
sense.
So
as
an
example,
a
package
management
system
like
npm
or
pi,
pi
or
rubygems,
are
core
to
the
to
the
ecosystem.
D
D
Looking
for
just
critical
vulnerabilities
backdoors,
custom
malware
things
like
that,
having
security
analysts
triage
the
results
of
that,
so
we're
not
going
to
be
running
the
output
of
a
tool
and
then
automatically
filing
issues
or
throwing
things
over
the
wall.
This
is
this
is
going
to
be
kind
of.
We
want
it
to
be
a
high
quality
experience
for
the
for
the
maintainer
they're,
going
to
get
good
vulnerability.
D
D
The
quality
of
the
tools
have
to
be
near
magical,
which
means
some
of
the
head
count
that
we're
asking
for
for
this
project
is
to
be
tuning
this
continuously.
So
every
time
a
false
positive
comes
up.
We
make
sure
that
the
false
positive
never
comes
up
again
by
tightening
the
rules
and
adding
more
logic.
D
D
Okay,
so
alpha
omega,
we
are
there's
a
public
announcement.
That's
gonna
be
coming
soon.
So
please
don't
like
it's
not
super
secret,
but
don't
please
don't
like
pre-announce
we're
getting
details
on
our
2022
operating
plan.
The
first
four
to
six
months,
I
would
say,
is
going
to
be
a
lot
of
learning,
so
we're
going
to
be
trying
to
be
very
agile
and
just
do
stuff
and
then
learn
and
change.
D
We
are
going
to
be
hiring
some
folks,
so
if
you
have
candidates
that
you
think
would
be
that
you
would
would
kind
of
love.
This
role
ping
me
or
you
ping
me
on
the
slack
channel
too,
that
I
created
for
this
I'll-
have
job
descriptions
out
pretty
shortly.
We're
still
trying
to
figure
out.
Should
these
be
contractors,
should
these
be
full-time
things
like
that,
but
I
think
the
most
important
thing
is
that
we
get
the
right
people
for
this
and
next
slide.
I
think
that
was
it
that.
B
Was
it
thank
you
so
much
michael
and
there
was
a
question
asked
and
answered
about
how
the
projects
will
be
selected.
David
shared
that
you
had
answered,
part
of
that
and
we'll
be
working
with
the
critical
projects
working
group
as
well
to
try
to
figure
out
quantitatively
and
fairly,
which
ones
are
most
critical,
but
there's
always
going
to
be
a
bit
of
a
subjective
part
to
this
as
well.
I
suspect
next
up
on
salsa
abhishek.
Are
you
around
and
able
to
chat.
E
A
E
Yes,
so
salsa
is
stands
for
supply
chain
levels
for
software
artifacts
the
work
started,
I
would
say
two
or
three
months
back
and
we
have
pretty
strong
participation
from
the
community.
So
from
members
at
various
companies
like
vmware
intel
data
dog
city
bank,
to
name
a
few
have
been
involved
in
contributing
to
the
salsa
spec,
so
we
have
released
salsa
v,
0.1
spec
that
is
available
for
the
community
to
review
recently.
E
We
also
came
to
consensus
on
the
salsa
provenance
formats,
which
got
a
significant
revamp
for
usability,
and
next
we
are
looking
to
work
more
on
the
implementation
aspect,
so
creating
more
demos
for
these
different
levels
and
so
that
community
can
easily
update
them
any
questions
on
their
front.
I
think
we
will
do
probably
questions
at
the
end
right.
B
E
E
B
Very
cool,
okay,
great
and
on
the
vulnerability
disclosure
guide,
we
thought
it'd
be
worth
sharing
a
little
bit
about
this.
I
know
jennifer
is
on
the
call.
I
don't
want
to
put
her
on
the
spot
unless
she
wants
to
to
speak
to
it.
I
know
it's
something
that
she's
she's
worked
on
quite
a
bit.
Let's
see
jennifer,
are
you
up
for
sharing
or
or
should
david
cover?
This.
F
Sure
yeah,
no,
I'm
happy
to
jump
in.
Thank
you.
So
the
vulnerability
disclosure
loop,
a
group
which
is
led
by
christopher
robinson
krobe
from
intel,
has
been
working
together
on
a
number
of
things.
The
the
core
of
one
of
these
that
we've
released
recently
is
a
guide
to
coordinated
vulnerability
disclosure.
F
F
We
have
some
open
github
issues
about
some
exciting
things
we
might
do
in
the
future,
like
helping
for
incident
response
or
kind
of
emergency
scenarios
when
teams
are
overwhelmed
by
the
type
of
report
that
they
receive
either
because
they
can't
write
the
patch
or
because
coordination
with
downstream
projects
is
high
impact,
but
difficult
to
to
do
so.
There's
a
lot
of
great
work
in
this
space
and
we
absolutely
welcome
anyone
who
is
interested
in
helping
us
improve
vulnerability.
B
A
Okay,
so
I
don't
think
I
need
to
explain
too
hard
to
many
people
here
that,
unfortunately,
some
of
the
insertions
of
various
malicious
code
and
malicious
package
in
the
past
has
occurred,
because
attackers
managed
to
acquire
passwords,
steal,
basically
stealing
passwords
and
then
exploit
that
to
log
in
as
the
developer
and
distribute
code.
That,
in
fact,
was
not
a
pro
or
a
package
that
was
not
approved
by
the
actual
developer.
A
So
there's
a
solution
for
this,
so
you
know
the
solution
will
be
getting
more
open
source
software
developers
to
use
multi-factor
authentication
tokens.
That
doesn't
mean
it's
impossible
to
steal
credentials,
but
it's
a
whole
lot
harder
when
you've
got
hardware
tokens
instead
of
just
I
gotta
copy
a
couple
characters
down,
I'm
happy
to
say
that
both
google
and
github
have
agreed
to
offer
a
set
of
free
tokens.
Mfa
tokens
to
give
away
to
select
open
source
software
developers,
and
so
this
is
a
project
currently
mined.
A
To
basically
do
some
currently
in
early
stages,
basically
try
to
figure
out
well
who
would
get
those
toke
free,
the
free
ones?
How
do
we
make
sure
these
are?
These
are
distributed
securely
because
we
don't
want
this
to
be
the
best
supply
chain
attack
ever
so
we're
talking
about
you
know
using
coupon
codes
and
so
on.
How
to
measure
impact,
and
probably
the
most
important,
is
how
to
develop
or
point
to
very
simple
short
instructions.
Developers
are
really
busy.
A
A
Using
this
token,
here's
how
you
do
it
simple
short
as
possible
and
focus
on
the
typical
needs
for
open
source
developers,
because
a
lot
of
the
documentation
for
these
is
often
very
generic
and
doesn't
tell
you-
doesn't
skip
those
things,
don't
matter
and
vote
and
doesn't
focus
on
the
here's.
What
you
do
if
you're
interested
in
this
please
get
involved
in
the
best
practices
working
group
really.
A
This
is
one
of
those
things
that
you
know
the
tasks
crosses
across
multiple
working
groups,
but
since
the
expectations,
a
lot
of
the
work
is
really
going
to
be
trying
to
figure
out
what
the
how
to
describe
the
best
practices
as
simple
as
possible.
That's
where
this
lives,
at
least
for
now,
for
more
there's
the
repo
next.
B
E
E
We
are
also
working
on
this
new
github
signing
solution,
not
sorry
not
signing
solution
as
part
of
the
github
code
scanning
pipeline,
so
it's
being
integrated
there
as
an
app
there
and
let's
see
what
else.
Regarding
the
all-star
project,
it's
running
on
more
than
5000
repositories
right
now
and
getting
more
tightly
integrated
with
scorecards
checks,
and
there
is
also
ongoing
collaboration
going
with
six
store
and
salsa
projects
on
how
we
can
show
more
of
the
code.
B
That's
great,
thank
you
so
much
so
that
was
really
just
kind
of
a
a
taster
of
the
fire
hose.
That
is
the
different
projects
going
on
at
at
open
ssf.
You
know
different,
perhaps
than
other
open
source
projects.
You
know,
as
david
mentioned,
we're
predominantly
organized
by
working
group
and
then
there's
projects
within
each
of
the
working
groups.
B
But
if
there's
any
other
efforts
that
anybody
on
the
call
who's
been
involved
with
openssf
wants
to
highlight
before
we
dive
into
you,
know
kind
of
an
open
question
and
answer
time
feel
free
to
to
kind
of
raise
your
hand
and
we'll
try
to
try
to
pick
you
and
and
give
you
the
floor
for
a
little
bit
anything
else
going
on
in
the
open
ssf
land.
That
folks
want
to
want
to
chat
about
or
share.
G
Hi
everyone-
I
just
want
to
give
a
quick
update
on
some
work.
We
just
completed
in
collaboration
with
cncf
reviewing
flux,
a
component
of
kubernetes,
so
we
coordinated
security
engagement
resulting
in
the
patching
of
a
high
severity
cve,
as
well
as
around
21
other
security
improvements
to
the
software.
So
I'm
going
to
be
sharing
that
with
everybody
via
email,
as
well
as
sending
links
to
the
work
groups,
so
you
can
kind
of
go
into
look
at
that
in
detail.
The
full
report
is
published
online,
so
anyone
can
view
it.
So,
thank
you.
A
Brian,
if
I
may
jump
in
real
quick,
I
think
the
flux
thing
is
actually
an
example.
You
know
you
mentioned
hey,
there's
no,
there's
some
code,
but
it's
not
all
code
here.
We're
not
interested
in
taking
over
projects,
we're
very
much
interested
in
working
with
projects
to
help
make
things
better,
and
I
I
think,
if
you
see
a
lot
of
the
things
that
the
openness
has
been
doing,
it's
very
much
helping
successful
projects
succeed
further.
B
B
I
B
Otherwise,
when
it
comes
to
the
things
that
are
kind
of
hard
to
do
and
the
things
for
which
there
aren't
really
great
open
source
equivalents,
such
as
the
kinds
of
tools
you
mentioned,
so
we
already
have
a
couple
of
integrations
already
in
a
tool
that
the
linux
foundation
has
been
using
for
security,
kind
of
analysis
of
its
of
its
projects.
That
will
be
expanding
as
part
of
project
alpha
omega
to
other
other
open
source
projects
and
and
to
to
be
relevant
and
then
involved
with
the
alpha
mega
effort.
B
So
certainly
interested
in
talking
with
you
about
about
other
tools
that
you
think
might
be
appropriate
as
well,
so
feel
free
to
get
in
touch
with
us
off
to
the
side.
To
talk
further
about
that,
thanks
eric.
Thank
you
yeah
jacques.
Let
me
unmute
you
or
allow
you
to
talk
here.
Would
you
like
to
ask
your
question
verbally.
J
D
Michael,
you
want
to
take
that
sure
yeah,
so
so
as
part
of
kind
of
throwing
the
idea
of
alpha
around
we
reached
out
to
about
ten
projects
about
half
of
them
got
back
so,
and
they
were
all
amenable
to
the
idea
of
it.
The
problem
is,
I
don't
want
to
go
too
far
down
the
route
of
making.
It
seem
like
we're
promising
to
do
something
with
them
and
then
pull
the
rug
back.
So
I
was
trying
to
be
very
careful
in
how
we
engage.
D
We
do
have
one
very
high
profile
organization
that
we
have
started
conversations
with
about
a
kind
of
a
marquee
initial
project.
I
don't
want
to
talk
about
that
in
this
kind
of
semi-public
forum,
but
I
can
connect
with
you
offline
about
about
that.
I
would
like
that
to
be
announced
at
the
at
the
public
announce
of
of
alpha
omega
the.
If
you
look
at
the
the
top
projects
of
the
criticality
score
listing.
D
B
Thank
you,
michael
okay.
Well,
we've
turned
through
the
open
questions
in
the
q,
a
tool
I
don't
see.
Anyone
with
their
hand
up
still
anything
else
that
anyone
involved
with
the
project
wants
to
to
toss
out
is
an
update
to
something
that
they've
been
working
on,
or
they
wanted
to
draw
some
some
attention
to.
B
How
about
anything
on
the
periphery
there's
so
many
I
mean
this
is
one
thing:
we're
not
trying
to
be
the
home
for
all
things.
Security.
Our
hope
is
certainly
that
what
we
do
is
inspire
a
whole
lot
of
efforts
in
every
open
source
initiative
to
to
go
and
build
things
and
using
our
standards
using
our
specs,
perhaps
upstreaming
to
us
in
some
ways
here
and
there,
but
but
certainly
lots
of
security
efforts
on
the
periphery.
K
I
did
okay
yeah,
so
I
thought
I
could
mention
a
little
bit.
That's
going
on.
This
is
related
to
the
executive
order,
but
there's
some
great
collaboration.
That's
happening
across
the
salsa
project,
which
is
currently
in
the
open,
ssf
and
then
a
couple
of
projects
that
are
just
outside
of
open
ssf.
One
is
the
entoto
project
and
another
one
is
the
skim
project,
supply
chain
integrity
model
and
the
skim
project.
K
You
know
companies
like
microsoft,
other
companies
that
are
part
of
the
open
ssf
for
describing
our
conformance
to
the
requirements
in
the
executive
order.
So
that's
that's.
It's
happening
kind
of
behind
the
scenes
right
now,
but
hopefully
soon
we'll
be
having
those
discussions
about
the
standard
format
and
the
standard
schemas.
Also
inside
of
the
open
ssf.
The
format
that
we're
starting
with
is
the
intoto
attestation
format,
which
is
currently
used
with
with
salsa.
So,
if
folks
are
interested
in
that,
you
can
do
the
look
up
on
in
total
attestations
and
find
more.
K
The
other
discussions
that
are
going
on
are
around
having
a
common
signing
format
for
all
of
these
supply
chain
attestations,
and
there
are
a
couple
that
are
floating
around
in
different
groups
and
we're
hoping
to
have
discussions-
and
you
know
broader
discussions
and
with
companies
in
ssf
and
have
those
as
part
of
the
the
new
supply
chain,
integrity,
working
group.
So
that's
you
know
some.
Some
of
that
is
there
steps
of
it
that
are
that
are
formed
and
other
things
that
will
be
coming
down
in
the
future.
B
C
Sure
can
you
hear
me?
Okay,
yes,
great
thanks
for
making
a
little
moment
for
me
to
talk
about
you
get
bomb.
This
has
been
work
I
mentioned
at
the
supply
chain,
security
summit
and
anyone
who's
run
in
tomato
hallway
or
online.
Probably
heard
me
talk
a
little
bit
about
it
or
ed.
Warnicky
over
at
cisco
is
also
working
on
this.
B
Thank
you,
ava
yeah.
I
find
it
super
interesting
as
as
a
compliment
to
so
much
of
the
the
rest
of
the
work
that
we're
doing
and
perhaps
something
that
we
can
really
align
very
closely
to
it.
We
had
one
question
in
private
chat
from
mutu
balaraman,
who
asked,
even
though
the
security
risks
are
much
talked
about
for
open
source
software,
how
about
the
license
associated
with
with
open
source
software?
What
are
the
key
risks?
The
organization
should
be
concerned
about
any
projects
focused
on
open
source
licenses.
B
I
will
mention
here
perhaps
that
one
of
the
key
tools
for
licensed
conformance
in
the
open
source
space
has
been
a
standard
called
spdx
that
has
been
developed
by
a
whole
community
of
people
working
under
the
aegis
of
the
linux
foundation,
for
a
long
time
to
try
to
make
sure
that,
given
a
body
of
code
that
you
think
is
open
source
license
is
every
underlying
dependency
every
underlying
bit
actually
open
source
license
and
which
license.
Am
I
allowed
to
redistribute
it
under?
B
You
know,
knowing
that
some
licenses
carry
obligations
on
other
pieces
of
code.
Spdx
is
now
also
really
a
a
key
platform.
A
key
standard
being
looked
at
for
s-bomb
functionality,
which
is
what
the
executive
order
called
for,
and
you
know,
there's
a
couple
of
options
out
there
and
I
think
there's
going
to
be
some
intentful
effort
to
put
those
into
a
box
so
that
we
combine
efforts
there
rather
than
compete
on
something
as
fundamental
as
the
documentation
format
for
a
standard
for
bill
of
materials.
A
Yeah,
just
just
real
quick,
as
for
you
know,
as
far
as
the
licensing
open,
ssf
isn't
particularly
focused
on
licensing
but
obviously
care
about
components.
There's
another
group
open
chain
which
is
actually
a
standard
for
how
to
intake
open
source
software
and
look
at
things
like
licenses
and
so
on.
It's
more
than
that.
But
if
you're
interested
please
go
take
a
look
at
open
chain.
B
B
B
Okay,
well
with
that,
I
want
to
thank
you
all
for
attending
and
I
look
for
the
recording
soon
please
come
to
the
next
town
hall
and
we'll
give
you
all
updates
on
what
we
do.
Then
thank
you,
of
course,
to
to
michael
to
jennifer,
to
abhishek
and
david,
of
course,
for
putting
together
this
great
content
and
all
of
you
for
asking
great
questions,
and
we
will
see
you
all
again
soon.
Thank
you.